Our ongoing commitment to security
We support the security needs of our members and the library community through regular communications and transparency about our processes, goals, certifications, and principles.
At OCLC, we have robust controls in place to maintain strict security for data and services in the cloud. Our governance processes are focused on compliance and audit standards to ensure access to data is always in secure, controlled environments.
Strategic security goals
- Protect information and systems by focusing on safeguarding the confidentiality, integrity, availability, and resiliency of data and critical information systems to ensure our ability to deliver services to customers and employees.
- Reduce security risk by creating the culture, frameworks, and processes required to address security risks.
- Enhance security capabilities by developing the practices, processes, workforce, and overall security capabilities required to protect OCLC from security threats and ensure continual improvement to face tomorrow’s security challenges. We do this while aligning security priorities with business needs and strategies.
- Approach security at the enterprise level, enhancing security across the entire organization through the establishment of company-wide security programs, best practices, common frameworks, and information security policies.
- Lead the library community as a partner for helping libraries, vendors, publishers, and other partners in the sector enhance their security through workshops, educational opportunities, and collaborative opportunities.
Certifications and attestations
FedRAMP: US Federal Government approved cloud provider marketplace
The Federal Risk and Authorization Management Program (FedRAMP) is a United States federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP mandates a core set of processes to ensure effective, repeatable cloud security for cloud service offerings that hold federal government data. OCLC maintains a FedRAMP LI-SaaS authority to operate (ATO).
ISO/IEC 27001: Information security management standard
ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. It mandates requirements that define how to implement, monitor, maintain, and continually improve the ISMS. This certification helps OCLC comply with numerous regulatory and legal requirements that relate to the security of information.
ISO/IEC 27018: Personally Identifiable Information (PII) data protection standard
ISO/IEC 27018 is an international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.
SOC 2: Security, availability, processing integrity and confidentiality standard
The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The purpose of this audit is to evaluate an organization’s information systems relevant to security, availability, processing integrity, and confidentiality.
Certification on file
Cloud Security Alliance: Cloud security and privacy standard
The CSA Security, Trust, Assurance and Risk program promotes the use of best practices for providing security assurance within cloud computing. OCLC participates in the voluntary CSA Security, Trust & Assurance Registry (STAR) to document compliance with CSA-published security and privacy controls.
Certification on file
EU Cybersecurity Act: European cybersecurity standard
The EU Cybersecurity Act establishes a cybersecurity framework for digital products and services. The cybersecurity framework defines required security controls companies must follow when doing business in the EU.
OCLC undergoes an annual ISO 27001 audit to demonstrate compliance with this regulation.
Italy AGID: Italian approved cloud provider marketplace
The Agency for Digital Italy (AgID) coordinates innovation policy and actively supports the adoption of information and communication technologies for the digitization and modernization of the Public Administration. All of its guidelines and actions are developed at the national and European level in a unified, consistent way: to federate the technological infrastructure, to ensure the security and reliability of the preservation and management of public data, and to provide integrated, shared, high-quality services.
Spain Esquema Nacional de Seguridad (ENS): Spain cybersecurity standard
The ENS accreditation scheme has been developed by the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre). The scheme comprises the basic principles and minimum requirements necessary for the adequate protection of information.
Certification on file
United Kingdom Cyber Essentials: UK cybersecurity standard
Cyber Essentials is a UK government-backed scheme designed to help organizations assess and mitigate risks from common cybersecurity threats to their IT systems. The Cyber Essentials scheme is a cybersecurity standard that identifies security controls an organization should have in place within its IT systems. The Cyber Essentials scheme is a requirement for all UK government suppliers handling any personal data.
All of these are regularly assessed by third parties and/or independent auditors, and result in a certification, audit report, or confirmation of compliance (unless otherwise specified). Compliance alignments and frameworks include published requirements for specific purposes.
Strategic security principles
At OCLC, we believe that all our efforts to improve security must:
- Properly reflect the borderless, interconnected, and global nature of today’s environment
- Be based on risk management
- Involve all OCLC employees
- Adapt rapidly to emerging threats, technologies, and business models
- Focus on bad actors and their threats